RE: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by

Qingdao Oudu Software Co.,Ltd, Cui Jianping / Jason

- 11/12/2015 04:28:56

Hi Luke,

Thanks for the update, and you could be right about this topic. But those people may go beyond the mailing list – they claim to have data including industry, geography, job title, etc. Moreover, they sent English emails to my boss, who never responds to foreign-language (like English) mailing lists such as this community's.

I cannot conclude where those data were leaked from, and I am not implying any source. But the fact is that someone has collected information about who the Odoo users and Odoo resellers are. And to sell such data, the records cannot be few.

The issue you've described is restricted to these Odoo.com community mailing lists.

Some companies seem to monitor the email addresses on this list and collect them so that they can cold call/email market their Odoo services.

The problem is when you reply to the community mailing lists on Odoo, your email address is visible to recipients of the list. You can take a look at the email headers in this reply as an example to see my email address.

From what I understand of it, Odoo collects some anonymised instance usage statistics among other things; however, nothing related to your customers' private data, as some seem to be suggesting.

Hi Andreas,

Magento does exactly the same thing, and includes Magento branding and links all over its software, like transactional emails, static blocks, etc. Look at the default theme and transactional emails and you'll see what I mean.

Custom extensions and themes can be used to override these defaults. Just like any other open source project (SugarCRM, WordPress, etc.; there are loads of examples), Odoo of course includes branding in key places. It's your job to override these defaults if you don't want them there.

OAuth should be switched off if you're not using it, to resolve your problem.

Switch your Odoo user into debug/developer mode and you should find what you need in the technical settings that appear.

I suggest checking out some of the great books on Odoo development and Odoo functional operations on the packtpub website, as well as the many MOOC training courses available online. They have been an invaluable resource for me, along with the official Odoo documentation and the many users in the Odoo community forum (help.odoo.com) who are often happy to provide insight or advice based on their own experience with the platform.

I am still very much only scratching the surface in terms of my own understanding of Odoo, however I suggest picking apart the code to learn how different things work, and if you can't figure it out ask humbly for help in the mailing lists and help forum. People are often happy to help out if they can, and I have learnt a huge amount just from the advice of others in these two forums.

Privacy IS an issue. We have been approached by emails marketing Odoo user information or potential customers. One wonders how many more Odoo partners have received such emails. We did not respond, so we are not sure where that info was leaked from, or what details were in their hands. Also, we do not know what details have been exposed from our own implementations.